I want to say a little more about being an agent of change. Really, an agent of change to improve the cybersecurity within your area of influence. Recently I’ve talked with my child’s school, a (very large) company’s website, and a bank about ways they can improve cybersecurity and found all of their responses seriously lacking.
At CIT we do third-party due diligence (3PDD) tests on companies we partner with. The questionnaire asks how the vendor stores data, reviews their past audit reports, and covers other items surrounding their security posture. We then compare that data to evidence-based inquiries we make with each company, connecting a response on the questionnaire to the vendor's ability to demonstrate the specific security control it claims to have.
3PDD is necessary, as the AccuDoc breach showed. The AccuDoc breach was not an Atrium breach; it was a third party (AccuDoc) that was breached, yet the general public kept talking as if Atrium had been breached. The Wendy's breach was also a third-party breach. Regulated companies are required to perform 3PDD, so it isn't as if Atrium and Wendy's didn't do it.
However, and unfortunately, most 3PDD reviews are just a standard list of questions.
The questions get answered, and sometimes the truth is stretched, or the systems have changed without the person completing the questionnaire knowing it. It isn't a true technical validation of the current state of the system(s). Lawrence was featured at the RSA Conference in 2019 on making those reviews more successful by helping large companies gain relevant information rather than standard responses. I say all that because he is being an agent of change by trying to make the 3PDD process better, and I'm just proud of him!
As a consumer you can’t exactly request the same things, but you can still be an agent of change!
Through this blog series, you’ve hopefully learned ways to be more secure. Teach others, have them read this blog, and most importantly, be the squeaky wheel.
What do I mean by be the squeaky wheel?
Speak up if you notice something is wrong!
If your child's school emails you a clear-text password, if a website you visit has an invalid certificate, or if your bank doesn't require MFA for every single login, let them know that it's a security risk and ask them to change it! Businesses need to hear that security is important.
After all, it’s your data that’s at risk…
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.
Contact us to learn more and let us show you how good I.T. can be!